<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.5. Predefined Roles</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="role-removal.html" title="21.4. Dropping Roles" /><link rel="next" href="perm-functions.html" title="21.6. Function Security" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.5. Predefined Roles</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="role-removal.html" title="21.4. Dropping Roles">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="user-manag.html" title="Chapter 21. Database Roles">Up</a></td><th width="60%" align="center">Chapter 21. Database Roles</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="perm-functions.html" title="21.6. Function Security">Next</a></td></tr></table><hr /></div><div class="sect1" id="PREDEFINED-ROLES"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.5. Predefined Roles <a href="#PREDEFINED-ROLES" class="id_link">#</a></h2></div></div></div><a id="id-1.6.8.9.2" class="indexterm"></a><p>
<span class="productname">PostgreSQL</span> provides a set of predefined roles
that provide access to certain, commonly needed, privileged capabilities
and information. Administrators (including roles that have the
<code class="literal">CREATEROLE</code> privilege) can <code class="command">GRANT</code> these
roles to users and/or other roles in their environment, providing those
users with access to the specified capabilities and information. For
</p><pre class="programlisting">
GRANT pg_signal_backend TO admin_user;
</pre><p>
</p><div class="warning"><h3 class="title">Warning</h3><p>
Care should be taken when granting these roles to ensure they are only used
where needed and with the understanding that these roles grant access to
privileged information.
</p></div><p>
The predefined roles are described below.
Note that the specific permissions for each of the roles may change in
the future as additional capabilities are added. Administrators
should monitor the release notes for changes.
</p><div class="variablelist"><dl class="variablelist"><dt id="PREDEFINED-ROLE-PG-CHECKPOINT"><span class="term"><code class="varname">pg_checkpoint</code></span> <a href="#PREDEFINED-ROLE-PG-CHECKPOINT" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_checkpoint</code> allows executing the
<a class="link" href="sql-checkpoint.html" title="CHECKPOINT"><code class="command">CHECKPOINT</code></a> command.
</p></dd><dt id="PREDEFINED-ROLE-PG-CREATE-SUBSCRIPTION"><span class="term"><code class="varname">pg_create_subscription</code></span> <a href="#PREDEFINED-ROLE-PG-CREATE-SUBSCRIPTION" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_create_subscription</code> allows users with
<code class="literal">CREATE</code> permission on the database to issue
<a class="link" href="sql-createsubscription.html" title="CREATE SUBSCRIPTION"><code class="command">CREATE SUBSCRIPTION</code></a>.
</p></dd><dt id="PREDEFINED-ROLE-PG-DATABASE-OWNER"><span class="term"><code class="varname">pg_database_owner</code></span> <a href="#PREDEFINED-ROLE-PG-DATABASE-OWNER" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_database_owner</code> always has exactly one implicit
member: the current database owner. It cannot be granted membership in
any role, and no role can be granted membership in
<code class="literal">pg_database_owner</code>. However, like any other role, it
can own objects and receive grants of access privileges. Consequently,
once <code class="literal">pg_database_owner</code> has rights within a template
database, each owner of a database instantiated from that template will
possess those rights. Initially, this role owns the
<code class="literal">public</code> schema, so each database owner governs local
</p></dd><dt id="PREDEFINED-ROLE-PG-MAINTAIN"><span class="term"><code class="varname">pg_maintain</code></span> <a href="#PREDEFINED-ROLE-PG-MAINTAIN" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_maintain</code> allows executing
<a class="link" href="sql-vacuum.html" title="VACUUM"><code class="command">VACUUM</code></a>,
<a class="link" href="sql-analyze.html" title="ANALYZE"><code class="command">ANALYZE</code></a>,
<a class="link" href="sql-cluster.html" title="CLUSTER"><code class="command">CLUSTER</code></a>,
<a class="link" href="sql-refreshmaterializedview.html" title="REFRESH MATERIALIZED VIEW"><code class="command">REFRESH MATERIALIZED VIEW</code></a>,
<a class="link" href="sql-reindex.html" title="REINDEX"><code class="command">REINDEX</code></a>,
and <a class="link" href="sql-lock.html" title="LOCK"><code class="command">LOCK TABLE</code></a> on all
relations, as if having <code class="literal">MAINTAIN</code> rights on those
</p></dd><dt id="PREDEFINED-ROLE-PG-MONITOR"><span class="term"><code class="varname">pg_monitor</code><br /></span><span class="term"><code class="varname">pg_read_all_settings</code><br /></span><span class="term"><code class="varname">pg_read_all_stats</code><br /></span><span class="term"><code class="varname">pg_stat_scan_tables</code></span> <a href="#PREDEFINED-ROLE-PG-MONITOR" class="id_link">#</a></dt><dd><p>
These roles are intended to allow administrators to easily configure a
role for the purpose of monitoring the database server. They grant a
set of common privileges allowing the role to read various useful
configuration settings, statistics, and other system information
normally restricted to superusers.
</p><p>
<code class="literal">pg_monitor</code> allows reading/executing various
monitoring views and functions. This role is a member of
<code class="literal">pg_read_all_settings</code>,
<code class="literal">pg_read_all_stats</code> and
<code class="literal">pg_stat_scan_tables</code>.
</p><p>
<code class="literal">pg_read_all_settings</code> allows reading all configuration
variables, even those normally visible only to superusers.
</p><p>
<code class="literal">pg_read_all_stats</code> allows reading all pg_stat_* views
and using various statistics-related extensions, even those normally
visible only to superusers.
</p><p>
<code class="literal">pg_stat_scan_tables</code> allows executing monitoring
functions that may take <code class="literal">ACCESS SHARE</code> locks on tables,
potentially for a long time (e.g., <code class="function">pgrowlocks(text)</code>
in the <a class="xref" href="pgrowlocks.html" title="F.31. pgrowlocks — show a table's row locking information">pgrowlocks</a> extension).
</p></dd><dt id="PREDEFINED-ROLE-PG-READ-ALL-DATA"><span class="term"><code class="varname">pg_read_all_data</code><br /></span><span class="term"><code class="varname">pg_write_all_data</code></span> <a href="#PREDEFINED-ROLE-PG-READ-ALL-DATA" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_read_all_data</code> allows reading all data (tables,
views, sequences), as if having <code class="command">SELECT</code> rights on
those objects and <code class="literal">USAGE</code> rights on all schemas. This
role does not bypass row-level security (RLS) policies. If RLS is being
used, an administrator may wish to set <code class="literal">BYPASSRLS</code> on
roles which this role is granted to.
</p><p>
<code class="literal">pg_write_all_data</code> allows writing all data (tables,
views, sequences), as if having <code class="command">INSERT</code>,
<code class="command">UPDATE</code>, and <code class="command">DELETE</code> rights on those
objects and <code class="literal">USAGE</code> rights on all schemas. This role
does not bypass row-level security (RLS) policies. If RLS is being
used, an administrator may wish to set <code class="literal">BYPASSRLS</code> on
roles which this role is granted to.
</p></dd><dt id="PREDEFINED-ROLE-PG-READ-SERVER-FILES"><span class="term"><code class="varname">pg_read_server_files</code><br /></span><span class="term"><code class="varname">pg_write_server_files</code><br /></span><span class="term"><code class="varname">pg_execute_server_program</code></span> <a href="#PREDEFINED-ROLE-PG-READ-SERVER-FILES" class="id_link">#</a></dt><dd><p>
These roles are intended to allow administrators to have trusted, but
non-superuser, roles which are able to access files and run programs on
the database server as the user the database runs as. They bypass all
database-level permission checks when accessing files directly and they
could be used to gain superuser-level access. Therefore, great care
should be taken when granting these roles to users.
</p><p>
<code class="literal">pg_read_server_files</code> allows reading files from any
location the database can access on the server using
<code class="command">COPY</code> and other file-access functions.
</p><p>
<code class="literal">pg_write_server_files</code> allows writing to files in any
location the database can access on the server using
<code class="command">COPY</code> and other file-access functions.
</p><p>
<code class="literal">pg_execute_server_program</code> allows executing programs
on the database server as the user the database runs as using
<code class="command">COPY</code> and other functions which allow executing a
</p></dd><dt id="PREDEFINED-ROLE-PG-SIGNAL-AUTOVACUUM-WORKER"><span class="term"><code class="varname">pg_signal_autovacuum_worker</code></span> <a href="#PREDEFINED-ROLE-PG-SIGNAL-AUTOVACUUM-WORKER" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_signal_autovacuum_worker</code> allows signaling
autovacuum workers to cancel the current table's vacuum or terminate its
session. See <a class="xref" href="functions-admin.html#FUNCTIONS-ADMIN-SIGNAL" title="9.28.2. Server Signaling Functions">Section 9.28.2</a>.
</p></dd><dt id="PREDEFINED-ROLE-PG-SIGNAL-BACKEND"><span class="term"><code class="varname">pg_signal_backend</code></span> <a href="#PREDEFINED-ROLE-PG-SIGNAL-BACKEND" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_signal_backend</code> allows signaling another backend to
cancel a query or terminate its session. Note that this role does not
permit signaling backends owned by a superuser. See
<a class="xref" href="functions-admin.html#FUNCTIONS-ADMIN-SIGNAL" title="9.28.2. Server Signaling Functions">Section 9.28.2</a>.
</p></dd><dt id="PREDEFINED-ROLE-PG-USE-RESERVED-CONNECTIONS"><span class="term"><code class="varname">pg_use_reserved_connections</code></span> <a href="#PREDEFINED-ROLE-PG-USE-RESERVED-CONNECTIONS" class="id_link">#</a></dt><dd><p>
<code class="literal">pg_use_reserved_connections</code> allows use of connection
slots reserved via <a class="xref" href="runtime-config-connection.html#GUC-RESERVED-CONNECTIONS">reserved_connections</a>.
</p></dd></dl></div><p>
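The warning above and the description of pg_read_server_files, pg_write_server_files and pg_execute_server_program both call for knowing which roles actually hold a predefined role. The following audit query is an added example, not part of the PostgreSQL documentation; it walks pg_auth_members recursively so that indirect grants (through pg_monitor or a site-defined group role) are reported as well. The output column names, including superuser_risk, are chosen for this example.

```sql
-- Added example (not from the PostgreSQL documentation).
-- Reports every role that holds a predefined role, directly or through a
-- chain of memberships, and flags the three roles that this page says could
-- be used to gain superuser-level access.
WITH RECURSIVE membership AS (
    -- Direct grants of a predefined role (their names start with pg_).
    SELECT m.member,
           m.roleid AS predefined_role,
           ARRAY[m.roleid, m.member] AS path
    FROM pg_auth_members m
    JOIN pg_roles r ON r.oid = m.roleid
    WHERE r.rolname LIKE 'pg\_%'
  UNION ALL
    -- Roles that are members of a role already known to hold it.
    SELECT m.member,
           s.predefined_role,
           s.path || m.member
    FROM pg_auth_members m
    JOIN membership s ON m.roleid = s.member
    WHERE m.member <> ALL (s.path)        -- defensive guard against loops
)
SELECT p.rolname     AS predefined_role,
       g.rolname     AS grantee,
       g.rolcanlogin AS can_login,
       -- Membership chain, e.g. pg_read_all_stats <- pg_monitor <- some_role
       (SELECT string_agg(x.rolname, ' <- ' ORDER BY t.ord)
          FROM unnest(s.path) WITH ORDINALITY AS t(role_oid, ord)
          JOIN pg_roles x ON x.oid = t.role_oid) AS via,
       p.rolname IN ('pg_read_server_files',
                     'pg_write_server_files',
                     'pg_execute_server_program') AS superuser_risk
FROM membership s
JOIN pg_roles p ON p.oid = s.predefined_role
JOIN pg_roles g ON g.oid = s.member
WHERE g.rolname NOT LIKE 'pg\_%'   -- hide pg_monitor's built-in memberships
ORDER BY superuser_risk DESC, predefined_role, grantee;
```

pg_database_owner never appears in the result, because its single member is implicit and is not recorded in pg_auth_members.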
</p></div></body></html>